protect untrusted ports

khalid.meraj
Level 1

I need to use an alternative solution on the switch to protect untrusted ports, to restrict the IP traffic without using DHCP snooping. What alternatives do we have?


anirudh.wna
Level 1

Hi,

Could you please elaborate on your issue?

cadet alain
VIP Alumni

Hi,

You can do DAI and IP Source Guard without DHCP snooping:

http://packetlife.net/blog/2009/may/25/ip-source-guard-without-dhcp/

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swdynarp.html#wp1039773

Regards

Alain

Don't forget to rate helpful posts.

khalid.meraj
Level 1

Thanks for your quick answers guys.

Basically, the scenario is that there are two routers connected to a switch on access ports, and from that an upstream switch running DHCP.

R1    ---------------------------------- R2

             sw1 - Vlan2

   ------------  sw2 ------------- DHCP running

The question asked, to secure the DHCP environment, to implement a solution on sw1 that restricts IP traffic on untrusted ports g1/0/1 and g1/0/2 to the addresses of R1 and R2 respectively. Do not use DHCP snooping.

I have already read the article you mentioned above and wrote these two solutions, but I don't know whether they are good or not, so I need more explanation, or for someone to tell me whether my solution meets the question's requirement or not.

ip source binding 111.111.111 vlan 2 7.7.2.1 interface fa0/1

ip source binding 222.222.222 vlan 2 7.7.2.2 interface fa0/2

int range fa0/1 - 2

switchport mode access

switchport access vlan 2

ip verify source

-----------------------

sol2

arp access-list arpacl

permit ip host 7.7.2.1 mac host 111.111.111

permit ip host 7.7.2.2 mac host 222.222.222

exit

ip arp inspection filter arpacl vlan 2

int rang g1/0/1 - 2

no ip arp inspection trust

!
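As an added example (not part of the original post and not Cisco tooling), a small Python check that compares static IP Source Guard bindings and ARP ACL permits against the ports named in the task. The sample input is the configuration from the post above; `audit`, `norm_mac` and `norm_intf` are hypothetical helper names.

```python
import re

# Constructed input: the binding and ARP ACL lines from the post, as written.
POSTED_CONFIG = """\
ip source binding 111.111.111 vlan 2 7.7.2.1 interface fa0/1
ip source binding 222.222.222 vlan 2 7.7.2.2 interface fa0/2
arp access-list arpacl
 permit ip host 7.7.2.1 mac host 111.111.111
 permit ip host 7.7.2.2 mac host 222.222.222
"""
# Ports named in the task statement (R1 on g1/0/1, R2 on g1/0/2).
REQUIRED_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]

BINDING = re.compile(r"^\s*ip source binding (\S+) vlan (\d+) (\S+) interface (\S+)", re.I)
ARP_PERMIT = re.compile(r"^\s*permit ip host (\S+) mac host (\S+)", re.I)

def norm_mac(mac):
    """Zero-pad each group of a dotted MAC (H.H.H) so entries compare equal."""
    groups = mac.lower().split(".")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"not a dotted-hex MAC: {mac}")
    return ".".join(g.zfill(4) for g in groups)

def norm_intf(name):
    """Expand the short interface prefixes used in the post (fa, g)."""
    m = re.fullmatch(r"([A-Za-z]+)([\d/]+)", name)
    for full in ("FastEthernet", "GigabitEthernet"):
        if m and full.lower().startswith(m.group(1).lower()):
            return full + m.group(2)
    raise ValueError(f"unrecognised interface: {name}")

def audit(config, required_ports):
    """Return findings where bindings, ARP permits and required ports disagree."""
    bindings, arp_pairs, findings = {}, set(), []
    for line in config.splitlines():
        if m := BINDING.match(line):
            mac, _vlan, ip, intf = m.groups()
            bindings[norm_intf(intf)] = (ip, norm_mac(mac))
        elif m := ARP_PERMIT.match(line):
            arp_pairs.add((m.group(1), norm_mac(m.group(2))))
    for port in required_ports:
        if port not in bindings:
            findings.append(f"{port}: no static IP source binding")
    for port, pair in sorted(bindings.items()):
        if port not in required_ports:
            findings.append(f"{port}: binding on a port outside the required set")
        if pair not in arp_pairs:
            findings.append(f"{port}: {pair[0]} has no matching ARP ACL permit")
    return findings
```

Run against the posted lines, `audit(POSTED_CONFIG, REQUIRED_PORTS)` reports that the bindings sit on fa0/1 and fa0/2 while the task names g1/0/1 and g1/0/2; the IP-to-MAC pairs in the two attempts agree with each other.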